How to really erase any drive -- even SSDs -- in 2016

You may already know that “deleting” a file does nothing of the sort. Securely erasing drives before you sell a computer keeps your personal information from falling into the wrong hands. Good news: it’s easier than ever to fully erase data.

There are easier and safer methods for erasing hard drives – including SSDs – than 10 years ago. Windows has two easy methods and Mac OS X has another. They are built into the operating system and are free to use. But I also include another method for regulated industries or frequent erasures.

SSDs – now the standard in Ultrabooks and Macs – are a little different. Thanks to the Flash Translation Layer (FTL) your OS doesn’t know where the data is physically. As a result the Mac’s “Secure Empty Trash” command has been removed because it can’t be sure that the data is actually gone. But there’s an easy workaround for SSDs: encrypt, reformat, and re-encrypt, which is described below.

SECURE ERASE

Delete doesn’t delete your data. All that delete does is erase file’s reference information in the disk directory, marking the blocks as free for reuse. Your data is still there, even though the OS can’t see it. That’s what “file recovery” programs look for: data in blocks that the directory says aren’t in use.

The Secure Erase command built in to the ATA standard overwrites every track on the disk – including bad blocks, the data left at the end of partly overwritten blocks, directories, everything. There is no data recovery from Secure Erase.

Secure Erase is a pain to use because most motherboard BIOSes have disabled it, reasoning that people wouldn’t understand that it would vaporize their data forever, leading to costly grief counseling with phone support. But there are other ways to achieve data security.

ENCRYPT, REFORMAT AND ENCRYPT AGAIN

Full disk encryption is built into Windows (Vista, 7, 8, & 10) and Mac OS X. The versions on both OSs work on any attached drive. However the Windows encryption tool – BitLocker – usually requires a system with a TPM (Trusted Platform Module) chip. If your system doesn’t have TPM, you won’t be able to access BitLocker or you’ll get an error message if you try. (This varies with Windows releases and versions, so don’t be surprised at what you get.)

Windows

To try BitLocker, go the Control Panel, click System and Security, and then click on BitLocker Drive Encryption. Select the drive and start the process. Encryption will take hours on a large disk, but you should be able to do other work on the system while encryption completes.

If you don’t have a TPM chip, or the right version of Windows, you can still erase a drive by performing a standard – NOT quick – format of the drive. Go to Control Panel, click Computer Management, click Storage, then Disk Management, then the drive you want to erase. Right click on the disk, choose New Simple Volume, and let the wizard guide you, until you get to the Format window, where you’ll make sure that Perform a quick format is NOT checked.

A standard format overwrites the entire drive and, on a hard drive, will take hours. If a hard drive format takes less than a minute, go back and make sure you’re doing a standard format.

Mac OS

The Mac OS FileVault 2 (10.7 and later) function is accessed from System Preferences>Security & Privacy>FileVault. Choose Turn On FileVault, select a password option, enable any other accounts you want to access the drive – in this case none – and click Restart. The encryption process will begin and, like Windows, will take some hours if you have a large drive.

ENCRYPTED. NOW WHAT?

After your drives are encrypted, you can now reformat the drive as a new drive, and encrypt it again. Since the drive is now empty, the second encryption will be much faster.

The second encryption ensures your first encryption key – which is usually kept on the drive – is overwritten. A zealous decrypter could recover the key and decrypt your data. But with the second encryption they can only recover the second key, and, since the older data is also encrypted, they still can’t read it.

LEGAL REQUIREMENTS?

If you work in a regulated industry – such as health care or finance – with a regulatory or fiduciary responsibility for data protection, the foregoing will protect the data, but may not protect you against claims for mishandled data. For that you need something stronger.

Try the StarTech Standalone Eraser Dock. It will invoke the ATA Secure Erase function and print a receipt to document that fact. Since the Secure Erase option is NIST approved, and better than the DOD requires, you have strong legal protection. But it does require removing drives from enclosures.

A faster option: drive a 10 penny nail through the drive’s disk platters. Few players will attempt a recovery from a physically damaged drive.

THE STORAGE BITS TAKE

After you’ve used a system for a year or so you probably have no idea how much and what sensitive data is stored on it. Sanitizing the entire drive – which external tools like DBAN can’t do, although they are better than nothing – is a smart move.

Unlike the hard to use internal Secure Erase function, these methods of overwriting or encrypting are easily accessed in Windows and Mac OS. Protect your data and sleep in peace.